On Federation Transactions, the Policy Server doesn't look into the right User Store to find the User

Document ID : KB000044928
Last Modified Date : 14/02/2018

Issue :

  Randomly, in a Federation Transaction, the Policy Server selects the
  wrong User Store to authenticate the user; as a result the user is
  not found and is not authorized.

  I've been observing this issue for a long time.

  The 2 UDs that get mixed up use the same servers; only a
  different root is set.

Environment :

 Policy Server 12.5CR02 on RedHat 5 64bit;

Cause :

   This issue is caused by a flaw in the directory key mapping used to
   define the User Stores. It is fixed in Policy Server 12.52.

   Note that this issue is related to DNS names only in the sense that
   the DirectoryMap in 12.5 uses the LDAP server name as part of its key:
   the keys of this mapping are built from the LDAP Directory namespace
   and the server name, so two User Stores on the same server share a
   key. The fix changes this: the Policy Server now uses the User
   Directory Name (the name given in the AdminUI) instead of the
   server name.

Resolution :

   As a workaround, define an FQDN alias for each LDAP server in the
   /etc/hosts file on the Policy Server and AdminUI hosts. Then, in the
   AdminUI, configure the LDAP server listed in each User Store
   definition (including the load-balancing and failover entries) using
   the aliases you put in /etc/hosts, so that User Stores sharing the
   same LDAP server no longer carry the same server name.

   This will solve the issue.
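The following is an added illustration, not Policy Server code (the real DirectoryMap internals are not described in this document): it models why two User Directories on the same LDAP server collide under the 12.5 keying, why the 12.52 keying avoids it, and why the /etc/hosts alias workaround works. It assumes a last-writer-wins map and uses constructed directory names, hosts and roots.

```python
from collections import namedtuple

# One User Directory as defined in the AdminUI (constructed sample data).
UserStore = namedtuple("UserStore", "name namespace server root")


def directory_key(store, fixed):
    """Map key: 12.5 keys on namespace + LDAP server name; the 12.52 fix keys on
    namespace + User Directory Name (the name given in the AdminUI)."""
    return (store.namespace, store.name if fixed else store.server)


def build_directory_map(stores, fixed):
    """Build the map and list the stores whose key was already taken by another
    store (assumption: last writer wins, which is enough to show the collision)."""
    dmap, collided = {}, []
    for store in stores:
        key = directory_key(store, fixed)
        if key in dmap:
            collided.append(store.name)
        dmap[key] = store
    return dmap, collided


def lookup_root(stores, wanted, fixed):
    """Search root the Policy Server would use for the User Directory `wanted`;
    a wrong root means the user is looked up in the wrong subtree and not found."""
    dmap, _ = build_directory_map(stores, fixed)
    wanted_store = next(s for s in stores if s.name == wanted)
    return dmap[directory_key(wanted_store, fixed)].root


# Two UDs on the same LDAP server that differ only in their root (as in the Issue).
SAME_SERVER = [
    UserStore("Employees", "LDAP:", "ldap.example.com:389", "ou=staff,dc=example,dc=com"),
    UserStore("Partners", "LDAP:", "ldap.example.com:389", "ou=partners,dc=example,dc=com"),
]

# Workaround: each UD is configured with its own /etc/hosts alias of that server,
# e.g. "10.0.0.5  ldap-staff.example.com ldap-partners.example.com" (constructed).
ALIASED = [
    UserStore("Employees", "LDAP:", "ldap-staff.example.com:389", "ou=staff,dc=example,dc=com"),
    UserStore("Partners", "LDAP:", "ldap-partners.example.com:389", "ou=partners,dc=example,dc=com"),
]

if __name__ == "__main__":
    print("12.5, same server:", lookup_root(SAME_SERVER, "Employees", fixed=False))
    print("12.52, same server:", lookup_root(SAME_SERVER, "Employees", fixed=True))
    print("12.5, aliased:", lookup_root(ALIASED, "Employees", fixed=False))
```

Under the 12.5 keying the "Employees" lookup returns the "Partners" root, which is the wrong-subtree failure the Issue describes; with either the fix or distinct aliases each store keeps its own root.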